The Cloud Security Alliance (CSA), a non-profit organization, recently published its findings on the state of cloud security practices.
The survey, "State of Cloud Security Concerns, Challenges, and Incidents" reflects the experience and perspective of nearly 1,900 InfoSec practitioners. Respondents represented various market segments around the world.
The number of respondents running 41% or more of their workloads in the public cloud doubled in two years, from 25% in 2019 to 50% in 2021. Further, 63% of respondents expect to exceed the 41% threshold this year.
A clear majority of respondents use security capabilities from cloud providers. Seventy-four percent use "native security controls." Impressively, 71% use "additional security controls" offered by the provider.
Amazon Web Services, Microsoft Azure, and Google Cloud Platform have long offered basic features like identity access management and encryption. All three providers have expanded to support sophisticated DDoS protection, hardware security modules, and managed security for IoT devices.
Still, the survey suggests a need for greater security capabilities. Nearly half of the survey respondents (49%) use virtual editions of traditional firewalls to guard their public cloud deployments. Further, 22% use host-based enforcement tools for added protection.
CSA predicts that cloud complexity will continue to grow. Broad multi-cloud usage, and different runtime options further complicate system administration.
Accordingly, respondents seek extra tooling to manage dynamic cloud environments. The top desire is "clear visibility (topology, policy) for the entire hybrid network estate (multi-cloud and on-prem)." Other priorities include proactive detection of network risks and misconfiguration risks.
The uptick in public cloud services seem to corroborate recent forecasts on public cloud spending. Gartner Research projected public cloud spending would "grow 18.4% in 2021 to total $304.9 billion, up from $257.5 billion in 2020." Surveys from the Cloud Native Computing Foundation and Flexera also found rapid growth in public cloud usage.
Respondents were largely satisfied with their expanded public cloud footprint. Public cloud providers met or slightly exceeded expectations in four areas (reduced cost, increased agility and elasticity, devops-friendly, improved uptime).
Public cloud usage over time, by percentage of workload, according to a survey of nearly 1,900 practitioners. Source: "State of Cloud Security Concerns, Challenges, and Incidents"
Responsibility for security in the public cloud appeared murky, with no clear consensus. The most popular selections were Security Operations (35%), Cloud Team (18%), and IT Operations (16%). Despite increased industry chatter for "DevSecOps," DevOps engineers/managers (9%) placed a distant fifth.
In a recent interview, John Yeoh, global vice president of research for the CSA, noted that ownership of cloud security is still evolving.
Respondents also answered questions on breaches and outages. A plurality of respondents were unsure if a breach had occurred (41%), a notable jump from 2019, when only 18% were unsure.
The survey asked about the root causes of incidents. Top responses were cloud provider issues (26%), security misconfiguration (22%), and security attacks such as denial of service (20%). The CSA postulated that “several of the top contributors can be tied back to human error or misconfiguration.”
Misconfiguration has long loomed as a key issue. Gartner recently projected "75% of security failures will result from inadequate management of identities, access, and privileges" by 2023. That’s an increase from 50% in 2020.
The severity of the most disruptive outage remained high by one metric. CSA data suggests that the most disruptive incidents still take longer than three hours to resolve for over 25% of the respondents. The figure has remained constant since 2019.
CSA conducted the survey online from December 2020 to January 2021. The organization regularly writes reports and whitepapers, and conducts surveys, all related to cloud computing.
Complete survey results are available on the Cloud Security Alliance website. Registration is required. A webcast summarizing the findings is available on-demand.